
Energy firms' security so POOR, insurers REFUSE to take their cash

They're turning down MULTI-MILLION pound contracts...

Underwriters are reportedly refusing to insure energy firms because poor security controls are leaving them wide open to attacks by hackers and malware infestations.

Lloyd's of London told the BBC it had seen a surge in requests for insurance from energy sector firms, but poor test scores from security risk assessors mean that insurers are turning down potential multi-million pound contracts.

"In the last year or so we have seen a huge increase in demand from energy and utility companies," Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London, told the Beeb. "They are all worried about their reliance on computer systems and how they can offset that with insurance."

Infosec experts called in to review energy sector systems are coming back with negative reviews, and that means offering "safety net" insurance against breaches is not viable as a business proposition.

"We would not want insurance to be a substitute for security," Khudari explained.

Lloyd's operates a world-renowned marketplace that offers a means to obtain commercial insurance for anything from container ships to large development projects. Insurance firms have been offering data breach insurance since at least 2009, if not earlier.

Specialist insurance firm Beazley’s client roster includes 30 per cent of the world’s top 200 oil and gas companies, as well as major banking and financial institutions. Last December the firm announced it had helped its clients recover from a combined total of 1,000 security breaches over the years. Most of Beazley’s services focus on incident response.

Separately, Allianz Global Corporate & Specialty recently unveiled a suite of products to protect businesses against issues that can arise from a serious cyber attack or data breach.

Industrial control plants at power utilities and other energy sector firms, as elsewhere, rely on SCADA (Supervisory Control and Data Acquisition) technology. These legacy systems are increasingly being connected to the internet, essentially to make them easier to manage remotely. At the same time, more and more security problems are being discovered by researchers investigating industrial plant security in the wake of the infamous Stuxnet worm, which has made research into the formerly overlooked topic "sexy".

More and more problems are being discovered in crucial systems that are rarely patched, and this creates a recipe for disaster.

Jonathan Roach, principal security consultant at Context Information Security, told El Reg: "SCADA systems have not been patched in years for various reasons: isolation of SCADA networks making the process of patching awkward; lack of motivation to perform what is sometimes seen as a risky process to a critical plant component; terms of software support contracts."

With all this in mind, it's no great surprise to find underwriters turning down lucrative energy sector insurance contracts.

Chris McIntosh, chief exec of ViaSat UK, which provides security and secure communications for clients including US energy companies, said problems obtaining insurance are a symptom of a wider malaise.

"Energy firms seeking insurance against cyber-attacks shows the vulnerability of our critical infrastructure is finally hitting home," McIntosh said. "According to a recent Zpryme Research study, half of infrastructure providers in the US believed electrical networks were insecure. While previously, attacking national energy or resource infrastructure would have involved compromising dedicated communication networks, the modernisation of these networks has made them part of the internet and so more vulnerable than ever.

"However, insurance is only a plaster over these underlying weaknesses. Organisations need to act now to protect their networks and address the unique nature of interconnected real-time control systems. Encryption of data in transit and rigorous authentication protocols, for example, should become de rigueur," said McIntosh.

"Unless energy companies demonstrate they are taking the necessary precautions, insurers will keep them at arm's length, public trust will fall, and the resilience of the country's critical national infrastructure will inevitably suffer as a result," he added.

Thales UK maintains the control systems for British Energy plants in the UK and is also involved in the building of the Hinkley Point B nuclear power station.

Tony Burton, critical national infrastructure protection business lead at Thales UK, said ageing legacy systems at power plants need to be secured one way or another. He suggested the insurance firms' stance has the potential to serve as a much-needed wake-up call.

"Legacy systems, often built before the internet existed, were simply not designed with the levels of interconnection and security threat we see today," Burton said. "Even systems that have remained isolated from the internet and business IT systems are vulnerable to threats that can 'leap the air-gap' via process, people and physical (e.g., USB stick) vectors.

"Energy firms and other areas of critical national infrastructure are beginning to face up to this challenge and are increasingly recognising that good security is good business."

"The insurance issue and contingency holdings are prime examples of how good security can have a positive effect on the bottom line results of these companies," continued Burton. "However, the security of these operations is not a simple challenge and this is what the insurers are beginning to recognise." ®
